Re: [quicwg/base-drafts] What needs to be checked for address validation (#3327)

Martin Thomson <> Sun, 16 February 2020 23:10 UTC


martinthomson commented on this pull request.

> @@ -1834,10 +1834,9 @@ SHOULD include information that allows the server to verify that the source IP
 address and port in client packets remains constant.
 Servers might use tokens from NEW_TOKEN in deciding not to send a Retry packet,
-even if the client address has changed.  A token that was provided in
-NEW_TOKEN cannot be used for address validation if the client address is not the
-same, though servers MAY allow for the possibility of changes arising from new
-mappings at a NAT.
+even if the client address has changed. Tokens sent in NEW_TOKEN frames SHOULD
+include information that allows the server to verify if the client address is
+stable, but might allow for different NAT bindings or ephemeral port selection.
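Review bot: In the added sentence, "verify if the client address is stable, but might allow for different NAT bindings or ephemeral port selection" leaves "stable" undefined and the subject of "might allow" unclear (the token, or the server checking it). The removed lines said plainly that a NEW_TOKEN token cannot be used for address validation if the client address is not the same, and gave the NAT case as a normative MAY on servers; the replacement drops both. Suggest naming which parts of the address the server compares and keeping the relaxation as an explicit MAY.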

== on IP and port would be one example, but the ephemeral port example clearly leads to just IP == IP.

Should we just say "IP MUST be the same" instead?  That's not always good (see CGNAT) and I want to avoid creating the impression that this is sufficient, even if it might be sufficient.
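The two comparisons mentioned in the comment above (IP and port, or IP only), as an added example that is not part of the original message or of the QUIC drafts. The token layout, the HMAC construction, the key, the lifetime and the policy names are assumptions made for illustration; the addresses are constructed from documentation ranges.

```python
import hashlib
import hmac
import ipaddress
import struct
import time

# Assumptions (not from the draft): token layout, key handling and lifetime.
KEY = b"constructed-demo-key"        # server-local secret, constructed for this example
MAX_AGE = 24 * 3600                  # seconds a token stays acceptable
HDR = struct.Struct("!QHB")          # issue time, source port, address length
TAG_LEN = hashlib.sha256().digest_size


def _tag(body):
    return hmac.new(KEY, body, hashlib.sha256).digest()


def mint_token(ip, port, now=None):
    """Bind the address the server observed, plus the issue time, into a token."""
    addr = ipaddress.ip_address(ip).packed
    issued = int(time.time() if now is None else now)
    body = HDR.pack(issued, port, len(addr)) + addr
    return body + _tag(body)


def check_token(token, ip, port, policy, now=None):
    """Return True if the token is authentic, fresh and matches under `policy`.

    policy "ip_and_port": source IP and port must both equal the bound values.
    policy "ip_only":     only the IP is compared, so a new ephemeral port passes.
    """
    if policy not in ("ip_and_port", "ip_only"):
        raise ValueError("unknown policy")
    if len(token) < HDR.size + 4 + TAG_LEN:
        return False
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(body)):   # reject forged or altered tokens
        return False
    issued, tok_port, alen = HDR.unpack_from(body)
    tok_addr = body[HDR.size:]
    current = time.time() if now is None else now
    if len(tok_addr) != alen or not 0 <= current - issued <= MAX_AGE:
        return False
    same_ip = tok_addr == ipaddress.ip_address(ip).packed
    return same_ip and (policy == "ip_only" or tok_port == port)
```

Under `ip_only`, any source port on the bound IP passes, so the check says nothing about which host behind a shared address presented the token.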
